12.6  SSH Configuration

12.6.1  Introduction to SSH

When remote users connect to routers across insecure networks, Secure Shell (SSH) provides authentication and protection against IP spoofing, plain-text password interception and other attacks. Your router can work as an SSH server and/or an SSH client. As an SSH server, it may accept connections from multiple SSH clients; as an SSH client, it can establish SSH connections with routers and UNIX hosts working as SSH servers. Currently, SSH 2.0 is supported. Figure 12-9 and Figure 12-10 illustrate two methods for establishing an SSH channel between a client and a server:
- Connect through a LAN
- Connect through a WAN

Figure 12-9 Establish an SSH channel in a LAN

Figure 12-10 Establish an SSH channel through a WAN

To establish an SSH connection, the server and the client go through the following five phases:

1)       Version number negotiation
- The client starts a TCP connection to the server.
- After the TCP connection is established, the server and the client negotiate a version number.
- If the negotiation succeeds, the key algorithm negotiation phase starts; otherwise, the server tears down the TCP connection.

2)       Key algorithm negotiation
- The server generates an RSA key pair and an 8-byte random number, and sends the public key and the random number to the client.
- Both the server and the client use the server's public key and the 8-byte random number as parameters to calculate a 16-byte session ID with the same algorithm.
- The client uses the public key from the server and a random number generated locally as parameters to calculate a session key.
- Using the public key from the server, the client encrypts the locally generated random number used for session key calculation and sends the result to the server.
- Using its private key, the server decrypts the data sent by the client and obtains the random number generated by the client.
- Using its public key and the random number sent by the client as parameters, the server calculates the session key with the same algorithm the client used.

Thus, the server and the client obtain the same session key. During the session, both ends use this session key for encryption and decryption, which protects the data transferred.

3)       Authentication mode negotiation
- The client sends its username to the server.
- The server starts the process of authenticating the user. If the user needs no authentication, the server proceeds directly to the session request phase.
- The client goes through the authentication mode with the server until the authentication succeeds or the server tears down the connection because of a timeout.

   Note:

SSH provides two authentication modes: password and RSA.

1) Password authentication procedure
- The client sends the username and password to the server.
- The server compares the received username and password with the local configuration. If it finds an exact match, the authentication succeeds.

2) RSA authentication procedure
- The server is configured with the RSA public key of the client.
- The client sends the modulus of its RSA public key to the server.
- The server verifies the modulus. If the modulus is valid, the server generates a random number, encrypts it using the RSA public key of the client, and sends the encrypted value back to the client.
- The server and the client use the random number and the session ID as parameters to calculate authentication data.
- The client sends the authentication data it generated to the server.
- The server compares the received authentication data with the value it calculated locally. If they match, the authentication succeeds.

4)       Session request: If the authentication succeeds, the client sends a session request to the server. When the server has successfully processed the request, SSH enters the interactive session phase.

5)       Interactive session: The client and the server exchange data until the session is over.
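The RSA authentication procedure from the note above, worked through as an added Python example (not code from the manual): a toy textbook-RSA key pair stands in for the client's key, and because the manual does not name the function that combines the random number with the session ID, SHA-256 over both is assumed. Function names are my own.

```python
import hashlib
import hmac
import secrets

# Toy textbook-RSA key pair (constructed for illustration: p=61, q=53,
# n=3233, e=17, d=2753). Far too small for real use; it only stands in
# for the client's RSA key pair so the exchange can be followed end to end.
TOY_CLIENT_PUBLIC = (3233, 17)     # (modulus n, public exponent e)
TOY_CLIENT_PRIVATE = (3233, 2753)  # (modulus n, private exponent d)


def rsa_apply(key, value):
    """Raw RSA: value ** exponent mod n (encrypt with e, decrypt with d)."""
    n, exponent = key
    return pow(value, exponent, n)


def server_challenge(client_public, rand=None):
    """Server side: pick a random number and encrypt it with the client's
    configured RSA public key. Returns (rand kept by the server, ciphertext sent)."""
    n, _ = client_public
    if rand is None:
        rand = secrets.randbelow(n - 2) + 1   # 1 .. n-2, so it is a valid RSA input
    return rand, rsa_apply(client_public, rand)


def auth_data(rand, session_id):
    """Both sides: derive authentication data from the random number and the
    16-byte session ID. The manual does not name the algorithm; SHA-256 over
    (rand || session_id) is an assumption of this example."""
    rand_bytes = rand.to_bytes((rand.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(rand_bytes + session_id).digest()


def client_respond(client_private, challenge, session_id):
    """Client side: recover the random number with the private key and
    compute the authentication data to send back."""
    rand = rsa_apply(client_private, challenge)
    return auth_data(rand, session_id)


def server_verify(rand, session_id, received):
    """Server side: compare the received authentication data with the
    locally computed value using a constant-time comparison."""
    return hmac.compare_digest(auth_data(rand, session_id), received)


def run_rsa_authentication(client_public, client_private, session_id, rand=None):
    """Drive the whole exchange. True means the client proved possession of
    the private key matching the public key configured on the server."""
    rand, challenge = server_challenge(client_public, rand)
    response = client_respond(client_private, challenge, session_id)
    return server_verify(rand, session_id, response)


if __name__ == "__main__":
    session_id = bytes(range(16))   # constructed 16-byte session ID
    print(run_rsa_authentication(TOY_CLIENT_PUBLIC, TOY_CLIENT_PRIVATE, session_id))
```

A client holding a different private key decrypts the challenge to a different number, so its authentication data fails the comparison and the server refuses the login.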

 


  Caution: If the router works as an SSH server, a SecureCRT client with “Enable OpenSSH agent forwarding” configured cannot log on to the SSH server.

 

12.6.2  SSH Configuration

SSH configuration includes:

I. Configuring the SSH server

- Set the protocols supported on the current user interface
- Create a local RSA key pair
- Configure the authentication mode for SSH users
- Create SSH users
- Set an interval for updating the server key (optional)
- Set the timeout time of SSH authentication (optional)
- Set the maximum number of SSH authentication retries
- Enter public key view
- Enter public key edit view
- Exit public key edit view
- Assign a public key to an SSH user
- Configure a service type for an SSH user
- Set SSH version compatibility (optional)

II. Configuring the SSH client

- Enable the SSH client
- Configure public key to server associations
- Configure SSH server first-time authentication

12.6.3  Configuring the SSH Server

I. Setting the protocols supported on user interface

This configuration is used to specify the protocols supported by the system in user interface view. By default, the system supports Telnet and SSH. If SSH is enabled but the local RSA key pair is not configured, users cannot log in through SSH. The configuration takes effect at the next login. Perform the following operation in the user interface view of VTY type.

Table 12-16 Set the protocols supported by system in user interface

Operation Command

Set the protocols supported by system in user interface protocol inbound { all | ssh | pad | }

 

  Caution:If the protocol supported by the user interface is set to SSH, you must set the authentication mode to authentication-mode scheme to ensure a successful login; if you use authentication-mode password or authentication-mode none, the configuration of the protocol inbound ssh command fails. Likewise, an SSH-enabled user interface does not allow the configuration of authentication-mode password or authentication-mode none.

 


II. Creating/destroying a local RSA key pair

This configuration is used to generate the local server and host key pairs. If an RSA key pair already exists, the system asks whether to replace the former key. The generated key pairs are named router name + server and router name + host respectively. The server key differs from the host key by at least 128 bits. The minimum length of the server and host keys is 512 bits and the maximum length is 2048 bits. By default, the key length is 1024 bits. Perform the following operation in system view.

Table 12-17 Configure and destroy a local RSA key pair

Operation Command

Create a local RSA key pair rsa local-key-pair create

Destroy a local RSA key pair rsa local-key-pair destroy

 

  Caution: The first step in enabling SSH login is to configure and generate the local RSA key pair. Before performing other SSH configurations, you must run the rsa local-key-pair create command to generate the local key pair. It is unnecessary to execute this command again after the router restarts. If the router works as an SSH 2.0 server, the key pair generated with the rsa local-key-pair create command must be at least 768 bits; otherwise, SSH 2.0 clients cannot log on successfully. For RSA authentication of an SSH 2.0 client, the key pair generated by the SSH 2.0 client must be at least 768 bits as well.

 

III. Configuring an authentication mode for SSH users

This configuration is used to specify an authentication mode for SSH users. The newly configured authentication mode takes effect at the next login. Perform the following configuration in system view.

Table 12-18 Configure authentication mode for SSH user

Operation Command

Specify an authentication mode for an SSH user

ssh user username authentication-type { password | rsa | all }

Restore the default, where login is always denied

undo ssh user username authentication-type

Specify a default authentication mode for SSH users

ssh authentication-type default { password | rsa | all | password-publickey }

Delete the specified default authentication mode for SSH users undo ssh authentication-type default

 The authentication mode specified using the ssh user username authentication-type command is only for an SSH user while the one specified using the ssh authentication-type default command is the default authentication mode for all SSH users. For an SSH user, the authentication mode configured using the ssh user username authentication-type command is always preferred to the one configured using the ssh authentication-type default command.


   Note: If password authentication is adopted, the user name specified in the ssh user authentication-type command must be consistent with the user name defined in AAA. If RSA authentication is adopted, the value of this argument is a local SSH user name and need not be defined in AAA.

 

IV. Creating SSH users

All SSH users need authentication. Before creating an SSH user with the ssh user command, you must specify a default authentication mode with the ssh authentication-type default command. Perform the following configuration in system view.

Table 12-19 Create an SSH user

Operation Command

Create an SSH user ssh user username

Delete an SSH user undo ssh user username

   Note: If password authentication is adopted, the user name specified in the ssh user command must be consistent with the user name defined in AAA. If RSA authentication is adopted, the value of this argument is a local SSH user name and need not be defined in AAA. If the default authentication mode for SSH users is password and local AAA authentication is adopted, you do not need to use the ssh user command to create an SSH user. Instead, you can use the local-user command to create a user name and password and then set the service type of that user to SSH.

 

V. Setting an interval for updating the server key

To ensure security of the connections to the SSH server, update its key regularly. Perform the following configuration in system view.

Table 12-20 Set an interval for updating the SSH server key

Operation Command

Set an interval for updating the SSH server key ssh server rekey-interval hours

Restore the default update interval undo ssh server rekey-interval

 By default, the server key is not updated.

VI. Setting the timeout time of SSH authentication

This configuration is used to set the timeout time of SSH authentication. Perform the following configuration in system view.

Table 12-21 Set the timeout time of SSH authentication

Operation Command

Set the timeout time of SSH authentication ssh server timeout seconds


Restore the default time-out time of SSH authentication undo ssh server timeout

 By default, the time-out time is 60 seconds.

VII. Setting maximum number of SSH authentication retries

To prevent malicious behaviors such as password guessing, limit the number of SSH authentication retries. Perform the following configuration in system view.

Table 12-22 Set maximum number of SSH authentication retries

Operation Command

Set maximum number of SSH authentication retries

ssh server authentication-retries times

Restore default maximum number of SSH authentication retries

undo ssh server authentication-retries

 The maximum number of SSH authentication retries defaults to 3. For password-publickey authentication, the maximum number of SSH authentication retries must be greater than two, because one attempt is used for sending the public key. Otherwise, the SSH client cannot log into the SSH server.

VIII. Configuring client public key

Two ways of configuring client public keys are available.

1)       Manual configuration
Enter public key view with the rsa peer-public-key command. With the public-key-code begin and public-key-code end commands, you can input or copy the client public key manually.

Table 12-23 Configuring a client public key manually

Operation Command

At the SSH 1.0/2.0 client, generate a random RSA key pair ––

Convert the public key part to PKCS code with software called SSHKEY.EXE ––

Configure the client public key on the router

Enter public key view (in system view) rsa peer-public-key key-name

Enter public key edit view to copy the public key converted by SSHKEY.EXE (in public key view)

public-key-code begin

Exit to public key view, with the public key being saved automatically (in public key edit view)

public-key-code end


Exit to system view (in public key view) peer-public-key end

 The client public key is a hexadecimal character string generated through PKCS coding by the SSHKEY.EXE software. The following shows the configuration details.

[Router] rsa peer-public-key quidway002
[Router-rsa-public-key] public-key-code begin
[Router-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[Router-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[Router-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[Router-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[Router-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[Router-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[Router-rsa-key-code] public-key-code end
[Router-rsa-public-key] peer-public-key end

2)       With the rsa peer-public-key key-name import sshkey filename command

Table 12-24 Configure a client public key with the rsa peer-public-key key-name import sshkey filename command

Operation Command

At the SSH 1.5/2.0 client, generate a random RSA key pair and save the key file ––

Configure the client public key on the router

Send the public key file to the Flash on the router through FTP/TFTP

Refer to section 5.2   “System Management Overview” and section 5.3   “System Management Overview”.

Perform public key format conversion and configuration

rsa peer-public-key key-name import sshkey filename

 This way is more convenient and recommended.  

  Note:The filename argument must take the name of the public key file saved on the Flash.
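As an added Python example (not code from the manual or from SSHKEY.EXE), the following parses the PKCS-coded client public key string shown in the manual configuration above, which is DER SEQUENCE { INTEGER modulus, INTEGER exponent }, and checks the modulus length against the 768-bit minimum stated in the caution of section II before the key is pasted into the router. The hex is copied from the manual's quidway002 example; the function names are my own.

```python
# Added example: parse a PKCS/DER-coded RSA public key string as produced by
# SSHKEY.EXE and check the key length before it is configured on the router.
# Hex copied from the manual's rsa peer-public-key quidway002 example.
CLIENT_KEY_HEX = (
    "308186028180739A291ABDA704F5D93DC8FDF84C427463"
    "1991C164B0DF178C55FA833591C7D47D5381D09CE82913"
    "D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4"
    "0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC"
    "C48E3306367FE187BDD944018B3B69F3CBB0A573202C16"
    "BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125"
)

MIN_SSH2_KEY_BITS = 768   # minimum stated in the caution for SSH 2.0 clients


def _read_tlv(buf, pos):
    """Read one DER tag-length-value element starting at pos.

    Returns (tag, value_bytes, position_after_element). Handles the short
    length form (one byte) and the long form (0x8N followed by N bytes).
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n_len = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_len], "big")
        pos += n_len
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_rsa_public_key(hex_text):
    """Decode SEQUENCE { INTEGER modulus, INTEGER exponent } from hex text.

    Whitespace (e.g. the line breaks of a pasted key) is ignored.
    """
    der = bytes.fromhex("".join(hex_text.split()))
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, pos = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise ValueError("expected SEQUENCE of two INTEGERs (modulus, exponent)")
    # A DER INTEGER may carry a leading 0x00 pad byte; int.from_bytes ignores it.
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def check_client_key(hex_text, min_bits=MIN_SSH2_KEY_BITS):
    """Report modulus length, public exponent, and whether min_bits is met."""
    modulus, exponent = parse_rsa_public_key(hex_text)
    bits = modulus.bit_length()
    return {"bits": bits, "exponent": exponent, "acceptable": bits >= min_bits}


if __name__ == "__main__":
    print(check_client_key(CLIENT_KEY_HEX))  # → {'bits': 1023, 'exponent': 37, 'acceptable': True}
```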

 

IX. Assigning an SSH user a public key

Perform the following configuration in system view to assign a public key to an SSH user.

Table 12-25 Assign an SSH user a public key

Operation Command

Assign a public key to an SSH user ssh user username assign rsa-key keyname

Remove the association of a public key to an SSH user

undo ssh user username assign rsa-key

 


X. Configuring a service type for an SSH user

Perform the following configuration in system view to configure a service type for an SSH user.

Table 12-26 Configure a service type for an SSH user

Operation Command

Configure a service type for an SSH user

ssh user username service-type { stelnet | sftp | all }

Restore the default service type for an SSH user undo ssh user username service-type

 The default service type for an SSH user is stelnet.

XI. Setting SSH version compatibility

Perform the following configuration in system view to enable/disable the SSH server to work with SSH1.X clients.

Table 12-27 Enable/disable the SSH server to work with SSH1.X clients

Operation Command

Enable the SSH server to work with SSH1.X clients ssh server compatible_ssh1x enable

Disable the SSH server to work with SSH1.X clients undo ssh server compatible_ssh1x

 By default, the SSH server works with SSH1.X clients.

XII. Specifying a source interface/IP address for the SSH server

Perform the following configuration in system view.

Table 12-28 Specify a source interface or source IP address for the SSH server

Operation Command

Specify a source interface for the SSH server

ssh-server source-interface interface-type interface-number

Delete the source interface specified for the SSH server undo ssh-server source-interface

Specify a source IP address for the packets sent by the SSH server ssh-server source-ip ip-address

Delete the source IP address for the packets sent by the SSH server undo ssh-server source-ip

 By default, the source IP address in each packet sent by the SSH server is the IP address of the interface where the packet is sent out. 


  Note: You may specify a source IP address for the packets sent by the SSH server with the ssh-server source-interface command or with the ssh-server source-ip command. If both commands are configured, the one configured later overrides the previous one.

 

12.6.4  Configuring the SSH Client

I. Enabling the SSH client

When enabling the SSH client to connect to an SSH server, you need to specify the preferred key exchange algorithm, encryption algorithm and HMAC algorithm between the client and the server. Perform the following configuration in system view.

Table 12-29 Enable the SSH client

Operation Command

Enable the SSH client

ssh2 { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } ] [ prefer_ctos_cipher { des | 3des | aes128 } ] [ prefer_stoc_cipher { des | 3des | aes128 } ] [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]

 

II. Configuring public key to server associations

You need to associate an SSH server with the name assigned to its public key. When connecting to this server, the client verifies the server's trustworthiness based on this association. Perform the following configuration in system view.

Table 12-30 Associate an SSH server with a public key

Operation Command

Associate an SSH server with its public key

ssh client server assign rsa-key keyname

Remove an SSH server to public key association

undo ssh client server assign rsa-key keyname

 

III. Configuring SSH server first-time authentication

The configuration of first-time authentication decides the action taken by the SSH client when it accesses a server whose public key it does not have:
- With first-time authentication enabled, the SSH client can attempt to access the server and obtain the server's public key through negotiation. The public key can then be saved on the client for the next access.
- With first-time authentication disabled, the SSH client refuses to access such a server. To access the server, you must save its public key on the SSH client beforehand.

Perform the following configuration in system view.


Table 12-31 Configure first-time authentication

Operation Command

Enable SSH server first-time authentication ssh client first-time enable

Disable SSH server first-time authentication undo ssh client first-time

 By default, first-time authentication is enabled on the SSH client.

IV. Specifying a source interface/IP address for the SSH client

Perform the following configuration in system view.

Table 12-32 Specify a source interface or source IP address for the SSH client

Operation Command

Specify a source interface for the SSH client

ssh2 source-interface interface-type interface-number

Delete the source interface specified for the SSH client undo ssh2 source-interface

Specify a source IP address for the packets sent by the SSH client ssh2 source-ip ip-address

Delete the source IP address for the packets sent by the SSH client undo ssh2 source-ip

 By default, the source IP address in each packet sent by the SSH client is the IP address of the interface where the packet is sent out. 

  Note: You may specify a source IP address for the packets sent by the SSH client with the ssh2 source-interface command or with the ssh2 source-ip command. If both commands are configured, the one configured later overrides the previous one.

 

12.6.5  Displaying and Debugging

After the above configuration, execute the display commands in any view to show the running state of the SSH configuration and verify it. Displaying and debugging SSH lets you view the configuration of the various SSH users, so as to use system resources better and keep connections secure.

Table 12-33 View relevant information about SSH

Operation Command

View the public key of the host and server key pairs display rsa local-key-pair public

Display the RSA public key of client display rsa peer-public-key [ brief | name keyname ]

Display SSH status information and session information display ssh server { status | session }


Display SSH user information display ssh user-information [ username ]

Display the current source IP address setting of the SSH server display ssh-server source-ip

Display the current source IP address setting of the SSH client display ssh2 source-ip

 Execute the following debugging commands in user view.

Table 12-34 Debug information on SSH

Operation Command

Enable SSH server debugging debugging ssh server { vty index | all }

Disable SSH server debugging undo debugging ssh server { vty index | all }

Enable SSH client debugging debugging ssh client

Disable SSH client debugging undo debugging ssh client

Enable RSA debugging debugging rsa

Disable RSA debugging undo debugging rsa

 

12.6.6  SSH Configuration Example

I. Network requirements

As shown in Figure 12-11, the console terminal (the SSH client) is directly connected to the router through an Ethernet interface. Run SSH2.0 client software on the terminal for securely logging onto the router for configuration and management. The username of the SSH client is [email protected] and the password is huawei.

II. Network diagram

Figure 12-11 Network diagram for SSH server configuration

III. Configuration procedure

1)       Configure the SSH server (the router)
The configuration procedure varies with the login authentication mode. However, all procedures must start with creating the local RSA key pair using the following command:
[Router] rsa local-key-pair create

 


  Note:If local key pairs exist, skip this step.

- Set the authentication method for the SSH user to password.
[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode scheme
[Router-ui-vty0-4] protocol inbound ssh
[Router-ui-vty0-4] quit
[Router] local-user client001
[Router-luser-client001] password simple huawei
[Router-luser-client001] service-type ssh
[Router-luser-client001] quit
[Router] ssh user client001 authentication-type password
[Router] domain 169.254.0.1
[Router-isp-169.254.0.1] scheme local
[Router-isp-169.254.0.1] quit

The default values for the SSH authentication timeout, retry count and server key update interval can be used. After these configurations, you can run an SSH 2.0 client on a terminal connected to the router and access the router with username client001 and password huawei.

- Set the authentication method for the SSH user to RSA.
[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode scheme
[Router-ui-vty0-4] protocol inbound ssh
[Router-ui-vty0-4] quit
[Router] ssh user client002 authentication-type RSA

Then, use the SSH 2.0 client software to randomly generate the RSA key pair (public and private keys) and configure the public key as the specified rsa peer-public-key on the SSH server. The RSA public key discussed here is a hexadecimal string coded by the SSHKEY.EXE software provided by our company according to the PKCS standard.

[Router] rsa peer-public-key quidway002
[Router-rsa-public] public-key-code begin
[Router-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[Router-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[Router-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[Router-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[Router-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[Router-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[Router-key-code] public-key-code end
[Router-rsa-public] peer-public-key end
[Router] ssh user client002 assign rsa-key quidway002

2)       Configure the SSH client

- When password authentication applies, configure at the client the IP address of a reachable interface on the SSH server (the router), 169.254.0.1 in this example, set the protocol type to SSH, and use SSH version 2. After opening the SSH connection, enter the user name and password to access the router configuration interface.

login as: client001
Sent username "client001"
[email protected]'s password:
***************************************************************************
*  Copyright(c) 1998-2006 Huawei Technologies Co., Ltd.  All rights reserved. *
*  Without the owner's prior written consent,                                 *
*  no decompiling or reverse-engineering shall be allowed.                    *
***************************************************************************
<Router>


- When RSA authentication applies, in addition to the configuration tasks done for password authentication, you must specify an RSA private key file, which is generated randomly by the client software. After opening the SSH connection, enter the user name to access the router configuration interface.

login as: client002
Sent username "client002"
Trying public key authentication.
No passphrase required.
***************************************************************************
*  Copyright(c) 1998-2006 Huawei Technologies Co., Ltd.  All rights reserved. *
*  Without the owner's prior written consent,                                 *
*  no decompiling or reverse-engineering shall be allowed.                    *
***************************************************************************
<Router>

 

  Caution: To set up an SSH connection, make sure that the user name provided at login is the same as the one configured on the router with the ssh user username command.

 

12.6.7  SSH Client Configuration Example

I. Network requirements

Router B is working as the SSH client with user name client003. Router A is working as the SSH server with IP address 10.165.87.136.

II. Network diagram

Figure 12-12 Network diagram for SSH client configuration

III. Configuration procedure

1)       Configure the SSH server (Router A)
Refer to the configuration procedure in section 12.6.6   “SSH Configuration Example”.

2)       Configure the SSH client (Router B)


# Enable SSH server first-time authentication.
[Router] ssh client first-time enable

# Enable the SSH client. The configuration varies depending on the adopted authentication mode.

- When password authentication and the default algorithms are adopted, do the following:
[Router] ssh2 10.165.87.136
Please input the username: client003
Trying 10.165.87.136
Press CTRL+K to abort
Connected to 10.165.87.136...
The Server is not authenticated.
Do you continue access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
Enter password:
***************************************************************************
*  Copyright(c) 1998-2006 Huawei Technologies Co., Ltd.  All rights reserved. *
*  Without the owner's prior written consent,                                 *
*  no decompiling or reverse-engineering shall be allowed.                    *
***************************************************************************
<Router>

- When RSA authentication is adopted, do the following:
[Router] ssh2 10.165.87.136 22 prefer_kex dh_group1 prefer_ctos_cipher des prefer_stoc_cipher 3des prefer_ctos_hmac md5 prefer_stoc_hmac md5
Please input the username: client003
Trying 10.165.87.136...
Press CTRL+K to abort
Connected to 10.165.87.136...
The Server is not authenticated.
Do you continue access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
***************************************************************************
*  Copyright(c) 1998-2006 Huawei Technologies Co., Ltd.  All rights reserved. *
*  Without the owner's prior written consent,                                 *
*  no decompiling or reverse-engineering shall be allowed.                    *
***************************************************************************
<Router>